Enable LDAP for the XMPP 5apps.com vhost #132
10
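--- /dev/null
+++ b/data_bags/credentials/ejabberd.json
@@ -0,0 +1,10 @@
+{
+"id": "ejabberd",
+"5apps_ldap_password": {
+"encrypted_data": "NjlYL0mMpXmLP2pk1ZSo5mWt+qosx7eh7+duoPc57avQGwPJ6Vxb\n",
+"iv": "q/py5XYCEXARUEA9\n",
+"auth_tag": "4xoSjTjLYNzuLvoksf3Thw==\n",
+"version": 3,
+"cipher": "aes-256-gcm"
+}
+}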
@ -26,6 +26,8 @@
|
||||
|
||||
include_recipe "kosmos-postgresql"
|
||||
|
||||
ejabberd_credentials = data_bag_item("credentials", "ejabberd")
|
||||
|
||||
cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do
|
||||
source "pg.sql"
|
||||
mode "0664"
|
||||
@ -55,35 +57,90 @@ postgresql_user 'ejabberd' do
|
||||
password postgresql_data_bag_item['ejabberd_user_password']
|
||||
end
|
||||
|
||||
postgresql_database 'ejabberd' do
|
||||
owner 'ejabberd'
|
||||
action :create
|
||||
notifies :run, "execute[create db schema ejabberd]", :delayed
|
||||
hosts = [
|
||||
{
|
||||
name: "kosmos.org",
|
||||
sql_database: "ejabberd",
|
||||
ldap_enabled: false,
|
||||
append_host_config: <<-EOF
|
||||
modules:
|
||||
mod_muc:
|
||||
host: "kosmos.chat"
|
||||
access:
|
||||
- allow
|
||||
access_admin:
|
||||
- allow: admin
|
||||
access_create: muc_create
|
||||
access_persistent: muc_create
|
||||
max_user_conferences: 1000
|
||||
default_room_options:
|
||||
mam: true
|
||||
EOF
|
||||
},
|
||||
{
|
||||
name: "5apps.com",
|
||||
sql_database: "ejabberd_5apps",
|
||||
ldap_enabled: true,
|
||||
ldap_password: ejabberd_credentials['5apps_ldap_password'],
|
||||
append_host_config: <<-EOF
|
||||
modules:
|
||||
mod_muc:
|
||||
host: "muc.@HOST@"
|
||||
access:
|
||||
- allow: local
|
||||
access_admin:
|
||||
- allow: admin
|
||||
access_create: muc_create
|
||||
access_persistent: muc_create
|
||||
max_user_conferences: 1000
|
||||
default_room_options:
|
||||
anonymous: false
|
||||
public: true
|
||||
members_only: true
|
||||
public_list: false
|
||||
persistent: true
|
||||
mam: true
|
||||
EOF
|
||||
}
|
||||
]
|
||||
|
||||
hosts.each do |host|
|
||||
postgresql_database host[:sql_database] do
|
||||
owner 'ejabberd'
|
||||
action :create
|
||||
notifies :run, "execute[create db schema #{host[:sql_database]}]", :delayed
|
||||
end
|
||||
|
||||
execute "create db schema #{host[:sql_database]}" do
|
||||
user "ejabberd"
|
||||
command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql"
|
||||
action :nothing
|
||||
end
|
||||
end
|
||||
|
||||
postgresql_database 'ejabberd_5apps' do
|
||||
owner 'ejabberd'
|
||||
action :create
|
||||
notifies :run, "execute[create db schema ejabberd_5apps]", :delayed
|
||||
end
|
||||
ldap_domain = node['kosmos-dirsrv']['master_hostname']
|
||||
ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
|
||||
ldap_base = "cn=users,dc=kosmos,dc=org"
|
||||
|
||||
execute "create db schema ejabberd" do
|
||||
user "ejabberd"
|
||||
command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.sql"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
execute "create db schema ejabberd_5apps" do
|
||||
user "ejabberd"
|
||||
command "psql ejabberd_5apps < #{Chef::Config[:file_cache_path]}/pg.sql"
|
||||
action :nothing
|
||||
end
|
||||
admin_users = [
|
||||
"greg@5apps.com",
|
||||
"sebastian@5apps.com",
|
||||
"garret@5apps.com",
|
||||
|
|
||||
"raucao@kosmos.org",
|
||||
"greg@kosmos.org",
|
||||
"galfert@kosmos.org"
|
||||
]
|
||||
|
||||
template "/opt/ejabberd/conf/ejabberd.yml" do
|
||||
source "ejabberd.yml.erb"
|
||||
mode 0640
|
||||
sensitive true
|
||||
variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password']
|
||||
variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
|
||||
hosts: hosts,
|
||||
ldap_base: ldap_base,
|
||||
ldap_server: ldap_domain,
|
||||
ldap_encryption_type: ldap_encryption_type,
|
||||
admin_users: admin_users
|
||||
notifies :run, "execute[ejabberdctl reload_config]", :delayed
|
||||
end
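Review bot: The execute resource built inside `hosts.each` has a stray closing brace in its command string, `"psql #{host[:sql_database]}} < …"`, so the shell receives `psql ejabberd} < …/pg.sql` and the schema import targets a database name that does not exist; the line should read `command "psql #{host[:sql_database]} < #{Chef::Config[:file_cache_path]}/pg.sql"`. The same loop is what replaces the two removed per-database `execute` blocks, so nothing else creates the schema once this ships. One further thing to confirm: the new `ejabberd_credentials = data_bag_item("credentials", "ejabberd")` call relies on the Chef DSL transparently decrypting the encrypted item added in this PR; if the node has no data bag secret configured, `ejabberd_credentials['5apps_ldap_password']` would presumably be the encrypted hash rather than the password, which is worth a comment such as `# encrypted data bag; decrypted by data_bag_item when the node's secret is present`.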
|
||||
|
||||
|
||||
@ -7,36 +7,38 @@ log_rotate_count: 1
|
||||
log_rate_limit: 100
|
||||
|
||||
hosts:
|
||||
- "kosmos.org"
|
||||
- "5apps.com"
|
||||
<% @hosts.each do |host| -%>
|
||||
- "<%= host[:name] %>"
|
||||
<% end -%>
|
||||
|
||||
host_config:
|
||||
"kosmos.org":
|
||||
<% @hosts.each do |host| -%>
|
||||
"<%= host[:name] %>":
|
||||
sql_type: pgsql
|
||||
sql_server: "localhost"
|
||||
sql_database: "ejabberd"
|
||||
sql_username: "ejabberd"
|
||||
sql_password: "<%= @pgsql_password %>"
|
||||
"5apps.com":
|
||||
sql_type: pgsql
|
||||
sql_server: "localhost"
|
||||
sql_database: "ejabberd_5apps"
|
||||
sql_database: "<%= host[:sql_database] %>"
|
||||
sql_username: "ejabberd"
|
||||
sql_password: "<%= @pgsql_password %>"
|
||||
<% if host[:ldap_enabled] -%>
|
||||
auth_method: ldap
|
||||
ldap_servers: ["<%= @ldap_server %>"]
|
||||
ldap_rootdn: "cn=xmpp,ou=<%= host[:name] %>,<%= @ldap_base %>"
|
||||
ldap_password: "<%= host[:ldap_password] %>"
|
||||
ldap_encrypt: <%= @ldap_encryption_type %>
|
||||
ldap_base: "ou=<%= host[:name] %>,<%= @ldap_base %>"
|
||||
ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= host[:name] %>,<%= @ldap_base %>)"
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
raucao
commented
Why should we add content to the main config file instead of adding separate files for every vhost?
greg
commented
I was considering using different files for the vhosts, but then I could not find a way to define the hosts all at once (https://docs.ejabberd.im/admin/configuration/#host-names), so it didn't seem to make much sense to split the config. I'm going to look into what's possible.
raucao
commented
So just because of a single additional line per host it doesn't make sense to split out all the rest?
I don't quite follow to be honest.
|
||||
|
||||
<% if (File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key")) ||
|
||||
(File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key")) -%>
|
||||
<% if @hosts.any? { |host| File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") } -%>
|
||||
certfiles:
|
||||
<% if File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key") -%>
|
||||
- "/opt/ejabberd/conf/kosmos.org.crt"
|
||||
- "/opt/ejabberd/conf/kosmos.org.key"
|
||||
<% end -%>
|
||||
<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key") -%>
|
||||
- "/opt/ejabberd/conf/5apps.com.crt"
|
||||
- "/opt/ejabberd/conf/5apps.com.key"
|
||||
<% @hosts.each do |host| -%>
|
||||
<% if File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") -%>
|
||||
- "/opt/ejabberd/conf/<%= host[:name] %>.crt"
|
||||
- "/opt/ejabberd/conf/<%= host[:name] %>.key"
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
ca_file: "/opt/ejabberd/conf/cacert.pem"
|
||||
|
||||
define_macro:
|
||||
@ -113,12 +115,9 @@ max_fsm_queue: 10000
|
||||
acl:
|
||||
admin:
|
||||
user:
|
||||
- "greg@5apps.com"
|
||||
- "sebastian@5apps.com"
|
||||
- "garret@5apps.com"
|
||||
- "raucao@kosmos.org"
|
||||
- "greg@kosmos.org"
|
||||
- "galfert@kosmos.org"
|
||||
<% @admin_users.each do |admin| -%>
|
||||
- "<%= admin %>"
|
||||
<% end -%>
|
||||
|
||||
local:
|
||||
user_regexp: ""
|
||||
@ -232,14 +231,9 @@ modules:
|
||||
- "pep" # pep requires mod_caps
|
||||
mod_push: {}
|
||||
mod_push_keepalive: {}
|
||||
# Allow existing accounts to change their password
|
||||
mod_register:
|
||||
welcome_message:
|
||||
subject: "Welcome!"
|
||||
body: |-
|
||||
Hi.
|
||||
Welcome to this XMPP server.
|
||||
ip_access: trusted_network
|
||||
access: register
|
||||
access: none
|
||||
mod_roster:
|
||||
versioning: true
|
||||
store_current_id: true
|
||||
@ -254,37 +248,10 @@ modules:
|
||||
mod_http_api: {}
|
||||
|
||||
append_host_config:
|
||||
"5apps.com":
|
||||
modules:
|
||||
mod_muc:
|
||||
host: "muc.@HOST@"
|
||||
access:
|
||||
- allow: local
|
||||
access_admin:
|
||||
- allow: admin
|
||||
access_create: muc_create
|
||||
access_persistent: muc_create
|
||||
max_user_conferences: 1000
|
||||
default_room_options:
|
||||
anonymous: false
|
||||
public: true
|
||||
members_only: true
|
||||
public_list: false
|
||||
persistent: true
|
||||
mam: true
|
||||
"kosmos.org":
|
||||
modules:
|
||||
mod_muc:
|
||||
host: "kosmos.chat"
|
||||
access:
|
||||
- allow
|
||||
access_admin:
|
||||
- allow: admin
|
||||
access_create: muc_create
|
||||
access_persistent: muc_create
|
||||
max_user_conferences: 1000
|
||||
default_room_options:
|
||||
mam: true
|
||||
<% @hosts.each do |host| -%>
|
||||
"<%= host[:name] %>":
|
||||
<%= host[:append_host_config].chomp %>
|
||||
<% end -%>
|
||||
|
||||
allow_contrib_modules: true
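Review bot: In the host_config hunk the LDAP bind password is interpolated verbatim into a double-quoted YAML scalar, `ldap_password: "<%= host[:ldap_password] %>"`, so a secret containing `"` or `\` yields a config file that ejabberd cannot parse (or a truncated password), and the failure only shows up at reload time. Emitting it as a JSON string, which is a valid YAML double-quoted scalar, avoids that: `ldap_password: <%= host[:ldap_password].to_json %>` — this presumably works because Chef loads the json library for template rendering, worth confirming. `ldap_rootdn` and `ldap_base` build DNs from `host[:name]` the same way, and the pre-existing `sql_password: "<%= @pgsql_password %>"` line has the same shape, so the same treatment applies there if you touch those lines. The rendered file does carry the bind password in clear text, which the recipe side already mitigates with `mode 0640` and `sensitive true`; a short comment above the `<% if host[:ldap_enabled] -%>` block noting that the password comes from the encrypted `credentials/ejabberd` data bag would help the next reader.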
|
||||
|
||||
|
||||
I don't think any other pro customer would have their users get global admin accounts for the entire Kosmos XMPP server.
I also think that these should come from an encrypted data bag, because I don't see any benefits to publishing admin account data, but only drawbacks.
Good point, I have moved the admin users to an encrypted data bag